Didier Stevens

Sunday 20 October 2019

New Tool: simple_tcp_stats.py

Filed under: My Software,Networking — Didier Stevens @ 10:25

My new tool simple_tcp_stats.py is a Python program that reads pcap files and produces simple statistics for each TCP connection.

For the moment, it calculates the entropy of the data (without packet reassembling) of each TCP connection (both directions) and reports this with a CSV file:

ConnectionID;head;Size;Entropy
192.168.10.10:50236-96.126.103.196:80;’GET ‘;364;5.42858024035
192.168.10.10:50235-96.126.103.196:80;’GET ‘;426;5.46464090792
96.126.103.196:80-192.168.10.10:50235;’HTTP’;3308;6.06151478505
96.126.103.196:80-192.168.10.10:50236;’HTTP’;493;6.73520107812

 

simple_tcp_stats_V0_0_1.zip (https)
MD5: 606DB4208BBC5908D9F32A68DDF90AC6
SHA256: 68B275C58736AE450D23BEA82CC1592936E541E00726D8ED95F5CA8ACB02B7CE

Monday 30 September 2019

Update Of My PDF Tools

Filed under: maldoc,Malware,My Software,PDF,Update — Didier Stevens @ 19:16

This is an update of my PDF tools.

There are a couple of bug fixes for pdf-parser and pdfid.

And 2 new features in pdf-parser, inspired by a private training on maldoc analysis I gave last week. I often get good ideas from my students, and sometimes, even I get a good idea in class 🙂 .

Option -o can now be used to select multiple objects: separate the indices by a comma.

There’s a new environment variable, PDFPARSER_OPTIONS, that can be used to provide extra options you want to include with each execution of pdf-parser.py. This is useful for option -O, an option to parse stream objects.

It’s actually best to always parse stream objects, i.e. always use option -O. But I decided not to make this an option that is on by default, so that the behavior of pdf-parser would remain unchanged. I consider this important for the many people that rely on a predictable behavior of pdf-parser, like teachers and students of infosec trainings where my tools are used/mentioned.

However, always including option -O is tedious and error prone. So now you can have best of both worlds, by defining an environment variable with name PDFPARSER_OPTIONS and value -O.

And finally, I started to add a man page (option -m), like I do with many of my other tools. This is a work in progress: for the moment, it points to my free PDF analysis e-book that explains the use of pdfid and pdf-parser.

pdf-parser_V0_7_3.zip (https)
MD5: 7EB1713631D255B36BC698CD2422C7EB
SHA256: D4D5AC9C26A9D8FEF65CE58A769D3F64A737860DC26606068CCDD3F04FDEA0D7

pdfid_v0_2_6.zip (https)
MD5: 9CCE332914A6C76410F04B7C35DA3155
SHA256: 95F7C91EEFB561F3F3BE9809ED339D85E7109BAA7E128EF056651EE018DBDBA0

Sunday 22 September 2019

Update: strings.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 8:56

This new version of strings.py comes with a new option -T to trim the strings to a given length. And also 2 bug fixes.

strings_V0_0_4.zip (https)
MD5: 8B1F5A6BEBA2BC8BDFF16B99C27050E4
SHA256: 7BBAAB0E83692288BDC35BC0FBDD6B2F8A141280E506131E2818F49BEF31D01A

Saturday 21 September 2019

Update: hex-to-bin.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 11:04

hex-to-bin.py is a program to convert hexadecimal dumps (text) to binary data.

This new version of hex-to-bin.py can handle different hexdump formats, like registry dumps (text files). Use option -x to handle these hexdumps.

And option -t was added if the input is a text file that is non-ASCII, like UTF16. Option -t can be used to convert the text file.

And it supports Python3, but that code is a kludge. Something I’ll have to do better later.

 

hex-to-bin_V0_0_3.zip (https)
MD5: 0F87942CC9EF566D4C3B5A34073D5399
SHA256: 02447247C59F530CD6559B0FB287E314AC3AB807D843729CA9CE3F16D0930CAB

Wednesday 18 September 2019

Update: pecheck.py Version 0.7.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of pecheck.py adds option -l to carve embedded PE files. This will be explained in detail in an upcoming blog post.

pecheck-v0_7_7.zip (https)
MD5: CEFCCC094EF9E29A539092A6ECB77EEE
SHA256: 91041D17A39C7FA4151830AF8FBD151680A04FC617CB0EADDA32D240E9AB9C03

Tuesday 17 September 2019

Update: hash.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version supports CRC32 hashing.

hash_V0_0_7.zip (https)
MD5: 9BE8A26F2940FA2FF5C3671B7BB6DC6F
SHA256: CFA2767F0FAA792F9B75344B2F15FF40267F3EDE77D221B0134F07FDB04E515B

Saturday 14 September 2019

Update: msoffcrypto-crack.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of msoffcrypto-crack.py, a simple tool to crack passwords of MS Office documents, adds rules via option -r.

In this release, there is only one rule to modify candidate passwords: case toggle.

If you use option -r, all passwords in the provide list will be tested, together with their case toggle variant: Secret -> sECRET.

msoffcrypto-crack_V0_0_4.zip (https)
MD5: D3D7A0475FF1C9AAB7BE773514784465
SHA256: 4A27E0FF50863A925FEE55B8F7D16AD29C2DF5E4611F9493DAEEBA89B5F3DBA9

Tuesday 6 August 2019

Update: pdf-parser.py Version 0.7.2

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

This is a bugfix version.

pdf-parser_V0_7_2.zip (https)
MD5: 7D417F2313FF505AC96B80D80495BB78
SHA256: 3CDB98A57DAABC98382BFA361390AE3637F96852F6F078D03A7922766AE14B57

Tuesday 30 July 2019

Quickpost: tcp-honeypot.py & Browser Tests

Filed under: My Software,Networking,Quickpost — Didier Stevens @ 0:00

tcp-honeypot.py is a Python program that allows you to define listeners using dictionaries: they listen on a given TCP port and process connections according to their configuration.

It started as a simple TCP honeypot, but now I use it too if I need a small network server.

For my quickpost “Quickpost: Browsers & Content-Disposition“, I needed a simple web server that would serve a page that I could fully control (headers & body).

I did this with tcp-honeypot. Dictionary dListeners (used by tcp-honeypot) defines the listeners: the keys are the TCP port numbers to listen on, and the values are dictionaries with configuration entries.

As I wanted to serve 3 different pages, I resorted to listen on 3 different ports (8080, 8081, 8082), each would serve a different page. Each dictionary for these listeners contains one entry with key THP_REPLY. Because each listener is very simple it listens for a connection and reads incoming data, discards it, and then sends its reply (regardless of input).

Here is the code to do this (file content-disposition-test.py):

#!/usr/bin/env python

__description__ = 'TCP honeypot configuration for Content-Disposition tests'
__author__ = 'Didier Stevens'
__version__ = '0.0.1'
__date__ = '2019/04/03'

"""
Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk

History:
  2019/04/03: start

Todo:
"""

dListeners = {
    8080:    {THP_REPLY: TW_CRLF(['HTTP/1.1 200 OK', 'Content-Disposition: inline', '', 'Line 1', 'Line 2', 'Line 3'])},
    8081:    {THP_REPLY: TW_CRLF(['HTTP/1.1 200 OK', 'Content-Disposition: attachment', '', 'Line 1', 'Line 2', 'Line 3'])},
    8082:    {THP_REPLY: TW_CRLF(['HTTP/1.1 200 OK', 'Content-Disposition: attachment; filename="test.js"', '', 'Line 1', 'Line 2', 'Line 3'])},
}

THP_REPLY configures a listener to read incoming data when a TCP connection is established, then send a reply (the value of dictionary entry THP_ENTRY) and then close the connection. This value is a string: the HTTP message (start-line, headers and body) to be send to the browser. In stead of defining one long string with start-line, headers and body, separated with carriage return & newline (CR NL), I use convenience function TW_CRNL. When you call convenience function TW_CRNL (Terminate With CR NL) with a list of strings, it terminates each string with CR NL (\r\n) and concatenates all strings into one string, that is returned by the function.

To start the server with this configuration, I just have to run tcp-honeypot.py with content-disposition-test.py as argument.

There are other methods to do this, for example using a single port. I’ll describe these methods in an upcoming blog post.


Quickpost info


Tuesday 16 July 2019

Update: format-bytes.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of format-bytes brings support for TLV records.

Here is an example with certificates in the Windows registry:

More details will be provided in an upcoming blog post.

format-bytes_V0_0_9.zip (https)
MD5: 2F97370D12A7DBB53EB8B30AA0A40463
SHA256: 87C9F3120673C0E92C9562EC2687B60AA93DAF612CE854939E48F6E902BFBBB4

Next Page »

Blog at WordPress.com.